I’m sure many of you are aware of the Petya variant surge we’re facing today. Here’s what we know this far:

Original outbreak occurred in the Ukraine early this morning, impacting power companies, petrol stations, airlines, etc.

Since then, it has spread to systems throughout Europe and the U.S.

The code uses a variant of ExternalBlue along with Mimikatz running against LSASS.EXE for cred grabs, PSExec tools and WMIC to have a worm-like spread.

The email account associated with the bitcoin ransom demand ($300) has since been disabled so decryption keys are pretty much out of the question now.

As of 15:30 GMT-6 a total of 31 bitcoin payments have been made.

Unlike other ransomware, this not only encrypts an assortment of file extensions but upon forcing a system reboot, it will also encrypt the Windows MFR and display the ransom message.

There is no kill switch.

I will update this post as more details surface.

Including some code review screen scrapes from trusted analysts.

Kaspersky Update:

This is Kaspersky Lab statement on NotPetya ransomware attacks reported 27 June

Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organizations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publically reported, but a new ransomware that has not been seen before. That is why we have temporarily named it NotPetya.

The company’s telemetry data indicates around 2,000 attacked users so far. Organizations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the US and several other countries.

This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within the corporate network.

Kaspersky Lab experts aim to release new signatures, including for the System Watcher component as soon as possible and to determine whether it is possible to decrypt data locked in the attack – with the intention of developing a decryption tool as soon as they can.

We advise all companies to update their Windows software, to check their security solution and ensure they have back up and ransomware detection in place.

Kaspersky Lab corporate customers are also advised to:

• Check that all protection is activated as recommended; and that they have enabled the KSN/System Watcher component. • Use the AppLocker feature to disable the execution of any files that carry the name “perfc.dat”; as well as the• PSExec utility from Sysinternals Suite.

Archives

Get My New Book!

Duncan is currently authoring a new book, Advanced Windows Security, due to be published Summer 2017 through LeanPub.
This full-length “living” e-book is designed with the Windows SysAdmin in mind, covering the best and latest technologies from Microsoft to help provide a defense-in-depth approach for your organisation’s security posture. Over 20 topic areas are covered with deep-tissue dives right into the true subject matter so you can immediately apply these recipes in your own environments, helping to protect and defend yourselves against today’s cyber threats.
For more information, including notification upon release, please visit: https://leanpub.com/advancedwindowssecurity/